A method and system for detecting unauthorized account access. The system may operate in conjunction with known methods of remote access authentication. The system provides a unique account for each authorized person (i.e., each user) and a system sequence number and a user sequence number for each account. For each access to the account, the system updates the system sequence number corresponding to that account to the next number in a preselected sequence, and the user updates the user sequence number in like manner. The preselected sequence comprises a sequence of pseudorandom numbers and the update comprises selecting the next pseudorandom number using a pseudorandom number generator, but the sequence number may be updated using other techniques, so long as the system and the user are both capable of performing the same updates. The system and the user perform a handshake process, to assure that the system updates the system sequence number, and the user updates the user sequence number, in synchrony. Normally, the system sequence number and the user sequence number will be the same, but when there is an unauthorized access by a third party the system will update the system sequence number and the user will not update the user sequence number, causing the two sequence numbers to be unequal. When the two sequence numbers are unequal, when the user next accesses the account, the user is made aware that an unauthorized access has occurred.

14 Claims, 7 Drawing Sheets
SYSTEM FOR DETECTING UNAUTHORIZED ACCOUNT ACCESS

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates to a method and system for detecting unauthorized account access.

2. Description of Related Art

Advances in communications and in computing have caused businesses and other organizations to offer remote access, i.e., access by means of a communication medium such as a telephone network, to a variety of goods and services. Because remote access does not involve face-to-face contact, it is generally necessary to authenticate the person seeking access. Such authentication may comprise having the person seeking access provide some authentication information (such as an account number or a credit card or debit card number). Because information such as account numbers is often easy for unauthorized persons to obtain, the person seeking access must typically also supply some hidden authorization information, such as a password.

One problem which has arisen in the art of remote access is that it is sometimes possible for unauthorized persons to obtain the hidden authorization information. First, unauthorized persons may simply guess the hidden authorization information; this can occur when the hidden authorization information is relatively short, such as a password or a bank-access card "PIN" (personal identification number). Second, unauthorized persons may monitor electronic communications by the authorized person for the hidden authorization information; this can occur for cellular telephones and similar devices. When unauthorized persons construct a duplicate cellular telephone with a copy of the hidden authorization information, this is called "cloning" and the duplicate cellular telephone is called a "clone". Third, unauthorized persons may simply bribe employees of the service provider, or other persons having access to the hidden authorization information.

Known methods of access control have been reasonably successful at preventing access by unauthorized persons, but are generally unable to prevent access by unauthorized persons who have obtained the hidden authorization information. Because it is possible for unauthorized persons to obtain the hidden authorization information, known methods of access control have the drawback that the authorized person may not be aware that unauthorized persons have obtained access.

Some examples of known methods of access control in telephone communication systems are as follows:

U.S. Pat. No. 4,860,341, "Radiotelephone Credit Card Call Approval Synchronization", issued Aug. 22, 1989, shows a system in which a credit card is used to place cellular telephone calls, using a cellular telephone with a credit card reader. In this system, authentication requires a separate call to a verification and billing computer system to authenticate the credit card before the user is allowed to access the cellular telephone network.

U.S. Pat. No. 5,249,230, "Authentication System", issued Sep. 28, 1993, in the name of Thomas J. Mihm, Jr., and assigned to Motorola, Inc., shows a system which receives an equipment ID for each user terminal and uses a secret key to encrypt the equipment ID with a user ID and an error detection code, to form an encrypted block. The encrypted block is programmed into a physical authentication module which is physically distributed and installed at the user terminal, about once per month.

U.S. Pat. No. 5,343,519, "Autodialer with PIN Feature", issued Aug. 30, 1994, in the name of Peter Feldman, shows an autodialing device which records credit card numbers, personal identification numbers, and telephone numbers in a memory, and which may be used to transmit those numbers on telephone connections and to automated teller machines. The device sends these numbers much faster than a person could key them in, and does not require that the person must key them in while being watched, which provides a measure of security against unauthorized persons who might be listening or watching.

U.S. Pat. No. 5,361,062, "Personal Security System", issued Nov. [day illegible], 1994, in the name of Kenneth P. Weiss et al. and assigned to Security Dynamics Technologies, Inc., shows a method and system for verifying the identity of a user, in which each user has a token which displays a pseudorandom sequence of values in response to a seed and an internal [illegible], and [illegible] demand the [illegible] pseudorandom value from the user, who simply [illegible] possession of the token.

While each of these known methods of access control achieves the purpose of preventing access by unauthorized persons, they are generally subject to two drawbacks: (1) Unauthorized persons who have obtained the hidden authorization information (or duplicated any physical circuits needed for access) may still obtain access. (2) In the circumstance that access is compromised, the authorized person is not necessarily made aware of that compromise. In circumstances where remote access is for goods or services which require payment, either the authorized person (the customer) or the service provider ends up paying for the goods or services consumed by unauthorized persons who obtained unauthorized access. This may be discovered when the service provider bills the customer for the unauthorized goods or services. Accordingly, it would be desirable to determine as soon as possible after any unauthorized access occurs, in particular, before any further unauthorized distribution of access information.

Another problem which has arisen in the art is that since the authorized person generally is not informed of the unauthorized access (until receiving a cellular telephone bill), the information to create the cloned device is valuable to unauthorized persons, but only for a relatively short time. Accordingly, this cloning information may be further distributed by the creator of the clone, and redistributed by others receiving the cloning information. The cloning information may thus be quite widely distributed, sometimes resulting in hundreds or thousands of clones.

Accordingly, it would be desirable to provide a method and system for automatically preventing unauthorized account access by numerous unauthorized devices.

Known methods of communication exist for determining if messages, or portions of messages, have been lost or damaged. For example, the Kerberos V5 system, as described in Kaufman, Network Security: PRIVATE Communication in a PUBLIC World, optionally inserts a sequence number in message packets so that messages which are lost or out-of-order may be detected. While this method achieves the purpose of detecting lost or out-of-order messages, it is still subject to the drawbacks noted for known methods of authentication. In particular, although credentials messages are identified with sequence numbers, there is no mechanism for detecting and reporting successful access by unauthorized persons.

Accordingly, it would be desirable to provide a method and system for automatically detecting unauthorized
account access and automatically preventing unauthorized account access by duplicate account access devices.

SUMMARY OF THE INVENTION

The invention provides a method and system for detecting unauthorized account access. In a preferred embodiment, the system may operate in conjunction with known methods of remote access authentication. The system provides a unique account for each authorized person (i.e., each user) and a system sequence number and a user sequence number for each account. For each access to the account, the system updates the system sequence number corresponding to that account to the next number in a preselected sequence, and the user updates the user sequence number in like manner. Preferably, the preselected sequence comprises a sequence of pseudorandom numbers and the update comprises selecting the next pseudorandom number using a pseudorandom number generator, but in alternative embodiments the sequence number may be updated using other techniques, so long as the system and the user are both capable of performing the same updates.

In a preferred embodiment, the system and the user perform a handshake process, to assure that the system updates the system sequence number, and the user updates the user sequence number, in synchrony. Normally, the system sequence number and the user sequence number will be the same, but when there is an unauthorized access by a third party the system will update the system sequence number and the user will not update the user sequence number, causing the two sequence numbers to be unequal. When the two sequence numbers are unequal, when the user next accesses the account, the user is made aware that an unauthorized access has occurred.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a system for remote access to a service provider by a user.

FIG. 2 shows a system for credit card or debit card verification and authorization.

FIG. 3, comprising FIG. 3A and FIG. 3B collectively, shows a process flow diagram of a method for detecting unauthorized access by cloned devices.

FIG. 4, comprising FIG. 4A, FIG. 4B, and FIG. 4C collectively, shows a data flow diagram of a method for electronic signature.

DESCRIPTION OF THE PREFERRED EMBODIMENT

In the following description, a preferred embodiment of the invention is described with regard to preferred process steps and data structures. However, those skilled in the art would recognize, after perusal of this application, that embodiments of the invention may be implemented using one or more general purpose computers operating under program control, and that modification of such general purpose computers to implement the process steps and data structures described herein would not require undue invention.

The present invention may be used in conjunction with inventions disclosed in the following co-pending applications.

Application Ser. No. 08/482,261, filed Jun. 7, 1995, in the name of the same inventor as the present application, titled "Bar Code Wand and Sound Communication System"; and

Application Ser. No. 08/485,261, filed Jun. 7, 1995, in the name of the same inventor as the present application, titled "Low Power Bar Code Wand", now U.S. Pat. No. 5,607,616.

These applications are each hereby incorporated by reference as if fully set forth herein, and are referred to collectively herein as the "incorporated disclosures".

REMOTE ACCESS TO A SERVICE PROVIDER

FIG. 1 shows a system for remote access to a service provider by a user.

In a preferred embodiment, a system for remote access to a service provider by a user may be used in conjunction with inventions shown in the incorporated disclosures. The system comprises a central computer system 100 for storing authorization and verification information about users. The central computer system 100 is coupled using a communication path 101 to a local computer system 110, for performing authorization and verification of users.

Preferably, there is more than one local computer system 110, each coupled to the central computer system 100 by a corresponding communication path 101. However, in alternative embodiments, there may be only a single local computer system 110, or a plurality of local computer systems 110 may multiplex or otherwise share a single communication path 101. Moreover, there is no special requirement that the central computer system 100 must be physically remote from the local computer systems 110, or that it must be physically located in some "central" place. Similarly, there is no special requirement that the local computer systems 110 must be physically "local" to anything in particular.

In a preferred embodiment, the communication path 101 comprises a telephone connection using a telephone network. However, those skilled in the art would recognize, after perusal of this application, that the communication path 101 may comprise any means for communication, including a cellular telephone connection, a radio telephone connection, a local or wide-area computer network connection, or some other communication medium.

The local computer system 110, for providing services to users, is coupled using a communication system 120 to a user device 130 for communicating user commands to the local computer system 110 and information from the local computer system 110 to the user. Preferably, there is more than one user device 130 (and there is preferably more than one user), each coupled to the communication system 120. However, in alternative embodiments, there may be only a single user device 130, or the local computer system 110 may use a plurality of communication systems 120 for coupling to user devices 130.

The local processor comprises a microprocessor having memory for programs and data, and comprising a protected memory for storing information which it is desired should not be compromised even if the user device were lost or stolen. The protected memory comprises a memory that will self-erase if it is forcibly opened, so that it cannot be read other than in the ordinary course of using the user device. Such protected memories are known in the art of semiconductor manufacture. In a preferred embodiment, for example, information private to the user, such as account numbers, account passwords, and credit card numbers, is encrypted for transmission and stored in an encrypted form in ordinary data memory, with parameters for decrypting that information recorded in the protected memory.

In a preferred embodiment, the communication system 120 is a telephone network, to which the user devices 130
make individual telephone connections 131. The individual telephone connections 131 may comprise land-line telephone connections, cellular telephone connections, or other telephone connections. However, those skilled in the art will recognize, after perusal of this application, that the communication system 120 may comprise any means for communication, including a cellular telephone network, a radio telephone network, a local or wide-area computer network, a communication satellite, or some other communication medium.

As described in further detail with regard to FIG. 3, each user uses a user device 130 to communicate with the local computer system 111 for providing services, and each user device 130 uses a communication system 120 to communicate with the local computer system 110. The local computer system 110 communicates using the communication path 101 with the central computer system 100 for authenticating users.

CREDIT CARD OR DEBIT CARD VERIFICATION AND AUTHORIZATION

FIG. 2 shows a system for credit card or debit card verification and authorization.

A system 200 for credit card or debit card verification and authorization comprises a central computer system 100 for authorization and verification of accounts, a local computer system 110 for providing services, a communication path 101 coupling the central computer system 100 and the local computer system 110, and a communication system 120, like that described with regard to FIG. 1.

The system 200 further comprises a card reader 210 into which a card 220 can be placed. Preferably, the card 220 is a credit card or a debit card, but in alternative embodiments the card 220 may be an authorization card, an identification card, or another card for the purpose of authentication of the authorized person, such as a customer.

The card reader 210 is coupled to the communication system 220 using a telephone connection 131 like that described with regard to FIG. 1. Thereafter, as described in further detail with regard to FIG. 3, the card reader 210 uses the communication system 120 to communicate with the local computer system 110 for providing services. The local computer system 110 communicates using the communication path 101 with the central computer system 100 for authenticating users.

As the technique shown with regard to FIG. 3 involves recording a sequence number by the user (or the user device 130), the card reader 210 is preferably also capable of writing data to the card 220, and the card is preferably also capable of receiving and storing such data.

In a simple alternative embodiment, the credit card reader 210 may present the sequence number to the user (or the user device 130) for verification, using either audio or visual means. In this alternative embodiment, the sequence number is preferably a simple counting function, so that the user can easily determine if any third party has used the account.

In a preferred embodiment where the card reader 210 is located at a point-of-sale terminal or a sales location, the card reader may skip the step of coupling to any local computer system 110 and use the communication path 101 to couple directly to the central computer system 100 for authorization and verification of the card 220.

METHOD FOR DETECTING UNAUTHORIZED ACCESS BY CLONED DEVICES

FIG. 3, comprising FIG. 3A and FIG. 3B collectively, shows a process flow diagram of a method for detecting unauthorized access by cloned devices.

A method 300 for detecting unauthorized access by cloned devices comprises a handshake protocol with a set of user steps 311 through 320 to be performed by the user and a set of system steps 321 through 331 to be performed by the system (the central computer system 100 and the local computer system 110). The user steps 311 through 320 are generally performed by the user device 130 shown in FIG. 1 or the card reader 210 shown in FIG. 2, while the system steps 321 through 330 are generally performed by the central computer system 100 and the local computer system 110 shown in FIG. 1 and FIG. 2.

At a step 311, the user activates the user device 130. A preferred user device comprises a microprocessor and a communication element coupled to the telephone line interface. The microprocessor comprises a processor, program and data memory (including nonvolatile protected memory), [illegible], and a signal interface for an interrupt signal. These components of microprocessors are known in the art of computing. The communication element comprises a modem, a DTMF tone generator, a CPTD element and a serial interface for coupling to the microprocessor. In a preferred embodiment, the user device 130 initiates the method 300 each time it is powered up or it accesses the local computer system 110, and may further initiate the method 300 after selected intervals of time, e.g., once every eight hours while it remains powered up. However, those skilled in the art will recognize, after perusal of this application, that there are no specific times when the method 300 must be initiated, and that selection of various times for initiation of the method are within the scope and spirit of the invention.

At a step 312, the user device 130 contacts the central computer system 100 using the local communication system 120. This step 312 is performed by coupling a telephone handset to the telephone connection 131 and dialing a telephone number associated with the local computer system 110. Preferably, the user device 130 automatically makes the connection and automatically dials the telephone number. However, those skilled in the art will recognize, after perusal of this application, that this step 312 may comprise any method of contacting the central computer system 100, including a cellular telephone connection, a radio telephone connection, or a local or wide-area computer network connection.

At a step 313, the user device 130 bundles together a unique identifier for itself (a "device ID"), a unique identifier for a user account for which it seeks authentication (an "account ID"), and a sequence number, into a sign-on message, encrypts that sign-on message with an encryption technique, and transmits the encrypted sign-on message to the central computer system 100. The encrypted sign-on message is further described with regard to FIG. 4.

The user device sends a set of identifying information to the remote processor. The identifying information comprises a user device ID for the user device, a user ID for the user associated with the user device, and a sequence number for this access to the remote processor by the user device. During the step, the remote processor awaits the identifying information from the user device. The remote processor authenticates the identifying information from the user device. The unique ID for the user device is stored in the protected memory when the user device is manufactured or [line illegible] memory (NOVRAM), so that this information is not lost when the user device is powered down. The encryption parameters for the user device are also stored in the protected memory when the user device is manufactured or
serviced. Encryption parameters such as a password may also be altered by the user when the user device is properly authenticated. In a preferred embodiment, the user device and the remote processor use the encryption parameters to encrypt and decrypt messages on the communication path, so as to secure against reading or altering of those messages by an unauthorized party. Preferably, the encryption parameters specify a key or set of keys for encryption using the "DES" or "IVES" data encryption standards. The user ID for the user need not be stored in the protected memory, particularly if there is more than one user who is authorized to use the user device. The sequence number for the user device is stored in the protected memory. The user device may also store more than one sequence number, such as one for each remote processor.

In a preferred embodiment, the device ID comprises a unique identifier assigned to the device when it is manufactured.

In a preferred embodiment, the account ID comprises a unique identifier assigned to the user account when it is created. Each user account is associated with a user who is authorized to obtain services from the local computer system 110 using that account. Some user accounts may be associated with more than one user, such as a credit card which is associated with more than one member of a family. Each user account is generally associated with a billing statement, although in alternative embodiments some user accounts may be bundled together in a joint billing statement, such as a corporate credit card account.

In a preferred embodiment, the sequence number comprises a numeric value which is maintained synchronized between the central computer system 100 and the user device 130. The sequence number is stored in nonvolatile storage at the user device 130, so that the most recently used sequence number is available to the user device 130 when the method 300 is performed. Similarly, the sequence number is stored in nonvolatile storage or on a mass storage device at the central computer system 100, so that the most recently used sequence number is available to the central computer system 100 when the method 300 is performed.

In a preferred embodiment, the nonvolatile storage in which the sequence number is stored comprises a protected memory having the property that it self-erases if an attempt is made to read the protected memory in other than the ordinary course.

At a step 321, the local computer system 110 receives the sign-on message sent by the user device in the step 313, and requests the central computer system 100 to retrieve an account profile associated with the account ID which was transmitted. The account profile comprises information about the selected user account, and includes the sequence number associated with that user account.

In a preferred embodiment, more than one user device 130 may be associated with a single user account, but in that circumstance, each such user device 130 has its own profile. The sign-on message comprises a device ID for the user device 130 sending the message, so the central computer system 100 is able to determine which profile to retrieve if there are several profiles for a user account.

In a preferred embodiment, each profile comprises information shown in table 3-1:

Table 3-1

a device ID, the unique identifier for the user device;

a set of account IDs, each a unique identifier for a user account authorized for access using this user device;

a set of user IDs, each a unique identifier for a user authorized to use this user device;

the current sequence number, and an identifier for a method for updating the sequence number;

a set of profile encryption parameters, such as an encryption protocol (preferably the "DES" or "IVES" protocols) and a set of encryption keys; and

a set of selected profile options, such as a typical calling telephone number associated with this user account.

At a step 322, the local computer system 110 compares the sequence number transmitted with the sign-on message with the sequence number in the account profile. The step 322 is shown in further detail in FIG. 3B.

Those skilled in the art would recognize, after perusal of this application, that comparison of sequence numbers could be performed by the central computer system 100, by the local computer system 110, or by another computer system, so long as the results of the comparison are used for authenticating the user device 130 and are reported to the user device 130 so that the user can determine if any unauthorized access has occurred.

In a first part of the step 322, the local computer system 110 compares the sequence number transmitted with the sign-on message with the sequence number in the account profile. If the two values are equal, the local computer system 110 follows the "EQUAL" path arrow to a first part of the step 326.

If the two values are unequal, the local computer system 110 proceeds with the second part of the step 322. In a second part of the step 322, the local computer system 110 checks a flag (the "sequence flag") [illegible] whether a previous access attempt has been made by this particular user device 130 in which the handshake [illegible]. [Several lines illegible.] In a preferred embodiment, the central computer system 100 checks the sequence flag only if the sequence number transmitted by the user device 130 is consistent with the expected access after a failed handshake. For example, if sequence numbers are the natural numbers one, two, three, ..., the local computer system 110 requires the sequence number in the new attempt to be something like four or five before checking the sequence flag; other sequence numbers are presumed to indicate an attempt at unauthorized access.

Similarly, in a preferred embodiment, the local computer system 110 checks the sequence flag only a limited number of times, e.g., a maximum of three access attempts.

In a preferred embodiment, the user (or the user device 130) maintains an alternative telephone number to call for access, and/or a secondary authentication path (e.g., requiring a secondary password or authentication with a human operator), so as to provide the user a method for access in the event that the need for access is urgent.

If the two values are unequal and the sequence flag is not set, the local computer system 110 proceeds to the step 323.

At a step 323, the local computer system 110 obtains a set of "caller ID" information and records that information. Preferably, the caller ID information comprises information about the calling telephone number, where that information is available from the telephone network service provider. In a preferred embodiment, the local computer system 110 also records other information about the call, such as the time it occurred and the recipient telephone number.

At a step 324, the local computer system 110 informs relevant authorities (including the central computer system
100) that the user account has been subject to unauthorized access. In general, the unauthorized access is this particular call, as unauthorized persons are unlikely to have the correct sequence number for transmission to the local computer system 110 in the sign-on message. However, if an unauthorized person obtains the correct sequence number, the sequence number will be asynchronized between the system and the proper user device 130 and the next access attempt by the authorized user will produce a sequence number mismatch.

In a preferred embodiment, the step 324 is performed by sending a telecopy message to a set of preselected destination telecopiers. For example, the preselected destination telecopiers could comprise a telecopier associated with a known authorized user.

At a step 325, the local computer system 110 denies access to the user device 130 and terminates the call.

At a step 314, the user device 130 begins the handshake procedure with the local computer system 110.

At a step 326, the local computer system 110 responds to the sign-on message from the user device 130. The step 326 is shown in further detail in FIG. 3B.

In a first part of the step 326, the user's sequence number and the system's sequence number are equal. The local computer system 110 sends an "EQUAL" message to the user device 130, and proceeds to the step 327. In response to the "EQUAL" message, the user device proceeds to the step 315.

In a second part of the step 326, the user's sequence number and the system's sequence number are unequal, but the sequence flag is set. The local computer system 110 sends a "TRY_AGAIN" message to the user device 130, and proceeds to the step 321. In response to the "TRY_AGAIN" message, the user device proceeds to the step 320, where it updates the user's sequence number, and thereafter proceeds to the step 313.

At a step 317, the user device 130 restores the sequence number to the value it had before initiating the method 300.

At a step 318, the user device 130 terminates the call.

At a step 328, the local computer system 110 determines if the handshake procedure completed properly. If not, the local computer system 110 proceeds to the step 329. If so, the local computer system 110 proceeds to the step 331.

At a step 329, the system (both the central computer system 100 and the local computer system 110) increments [remainder of sentence illegible]. At a step 330, the local computer system 110 [illegible] the call.

At a step 319, the user device 130 obtains services from the local computer system 110. In a preferred embodiment, the user device 130 processes a customer order placed by the user. After processing the order or obtaining other services, the user device 130 proceeds to the step 318 and terminates the call.

At a step 331, the local computer system 110 authenticates the user to an order processing subsystem, which processes the order or performs other services for the user. After processing the order or performing other services, the local computer system 110 terminates the call.

In a preferred embodiment, the user account comprises a first account in a plurality of user accounts for the same user, about which information is maintained at the central computer system 100. If any one of the user's user accounts is compromised by an unauthorized access, that unauthorized access will be detected by the local computer system 110 in response to a mismatch between the system's sequence number and the user's sequence number. The local computer system 110 so informs the central computer system 100. When the user accesses any other one of the user's user accounts using a (possibly different) local computer system 110, the central computer system 100 informs the local computer system 110 of the unauthorized access to the

At a step 315, the user device 130 updates its recorded

sequence number. user's other user account, and the local computer system 110 

In a preferred embodiment, the sequence number is so informs the user, 

selected from a pseudorandom sequence and the method for 

updating the sequence number is to select the next pseudo- 40 METHOD FOR ELECTRONIC SIGNATURE 

random number in the pseudorandom sequence using a Q 4 ^.^^ mQ 4A? na 4B> and fl ^ 

pseudorandom number generator. Pseudorandom number ZwsTdJi , flow diamm of a irXd for 

generators arc described in D. Knuth, The Art of Computer sLmarurc. ^ 

Programming (vol. 2: Seminumerical Algorithms) _ . . , 

(Addison- Wesley 1968) 45 The uscr dcvicc 130 indicates to the central computer 

However, those skilled in the art would recognize, after W^m 1#0 thflt activit y h authorized by the user by 

perusal of this application, that the method for updating the sending an encrypted message comprising identifying infer- 

sequence number may comprise any one of a wide variety of nation for the user. The user device 130 bundles together a 

techniques, such as (1) adding a constant to the sequence set of information into a message and encrypts that infor- 

number, (2) multiplying the sequence number by a constant, 50 matioa for transmission to the central computer system 100. 

or (3) some combination thereof. The sign-on message 400 described with regard to FIG. 3 

In alternative embodiments, a plurality of sequence num- comprises an account ID number 401, a device ID number 

bers may be associated with different message or tasks. For 402, a sequence number 403, and a media integrity code 

example, a first sequence number may be used for (he 404. The media integrity code 404 comprises a checksum or 

sign-on message and a second sequence number may be ss CRC code, to indicate whether any part of the message has 

used for other messages. In another example, a first been altered, damaged or garbled in transmission. The 

sequence number may be used for messages with relatively central computer system 100 or the local computer system 

higher security and a second sequence number may be used 110 receives the sign-on message 400, decrypts it, checks 

for messages with relatively lower security. the media integrity code 404, and identifies the separate 

At a step 327, the system (both the central computer 60 individual items of information, 

system 100 and the local computer system 110) updates its In a preferred embodiment, when the user desires to place 

recorded sequence number for the indicated user account, an order for goods or services, the user device 130 sends an 

and reseta the sequence flag. order-approval message 410 to thc central computer system 

At a step 316, the user device 130 determines if the 100 The order-approval message 410 comprises an order 

handshake procedure completed property. If not, the user 65 number 411, the device ID number 402, the current sequence 

device 130 proceeds with the step 317. If so, the user device number 403, a user ID number 412, and the media integrity 

130 proceeds with the step 319. code 404. The central computer system 100 receives the 
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order-approval message 410, decrypts it, checks the media 
integrity code 404, and identifies the separate individual 
items of information, in iflcc manner as for the sign-on 
message 400. However, in a preferred embodiment the 
sequence number 403 is not updated for the order-approval 5 
message 410, only for the sign-on message 400. The central 
computer system 100 then transmits selected information to 
the local computer system 110. 
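The sign-on handshake of steps 313 through 331 (EQUAL, TRY_AGAIN, the sequence flag, restoring the number after a failed handshake, and the mismatch report of step 324), as an added simulation that is not the patent's own code. The generator constants (a multiply-and-add update, one of the "combination" techniques the text allows), the message names and the seed are assumptions; the encryption and media integrity code of message 400 are left out.

```python
# Added simulation of the patent's sequence-number handshake (not the patent's
# own code); generator constants and message names are assumptions.
A, C, M = 1103515245, 12345, 2 ** 31  # assumed constants: multiply, add, reduce

def next_seq(n: int) -> int:
    """Shared update rule: both sides must step the sequence identically."""
    return (A * n + C) % M

class System:                       # local/central computer system side
    def __init__(self, seed: int):
        self.seq, self.flag, self.alerts = seed, False, []

    def sign_on(self, user_seq: int) -> str:
        if user_seq == self.seq:
            self.seq, self.flag = next_seq(self.seq), False  # step 327
            return "EQUAL"
        if self.flag:               # user is one step behind after a failed handshake
            return "TRY_AGAIN"      # step 326, second part
        self.alerts.append(user_seq)  # step 324: report the mismatch
        return "DENY"               # step 325: deny and terminate

    def handshake(self, completed: bool) -> None:
        if not completed:
            self.flag = True        # step 329: permit one TRY_AGAIN

class UserDevice:                   # user device side
    def __init__(self, seed: int):
        self.seq = seed

    def sign_on(self, system: System, handshake_ok: bool = True) -> str:
        for _ in range(2):          # at most one TRY_AGAIN round trip
            reply = system.sign_on(self.seq)
            if reply == "TRY_AGAIN":
                self.seq = next_seq(self.seq)   # step 320, then back to 313
                continue
            if reply == "EQUAL":
                previous = self.seq
                self.seq = next_seq(self.seq)   # step 315
                system.handshake(handshake_ok)  # steps 314 / 328
                if not handshake_ok:
                    self.seq = previous         # step 317: restore
            return reply
        return "DENY"

def run_scenarios() -> tuple:
    """Normal access, recovery after a failed handshake, then detection."""
    system, user = System(42), UserDevice(42)
    normal = user.sign_on(system)                 # both advance in step
    user.sign_on(system, handshake_ok=False)      # system ahead, flag set
    recovered = user.sign_on(system)              # TRY_AGAIN, then EQUAL
    intruder = UserDevice(user.seq)               # correct number obtained by a third party
    intruder.sign_on(system)                      # system advances, the user does not
    detected = user.sign_on(system)               # mismatch: DENY and step 324 alert
    return normal, recovered, detected, len(system.alerts)
```

The last scenario is the one the description stresses: even with a correct sequence number, a third-party access leaves the system one step ahead of the authorized user device, and the user's next sign-on exposes it.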

In a preferred embodiment, when the user device 130 is about to send, to the central computer system 100 or the local computer system 110, data which is user sensitive, the user device 130 sends a sensitive-data message 420 to the central computer system 100 or to the local computer system 110. The sensitive-data message 420 comprises the device ID number 402, the current sequence number 403, the user ID number 412, and the media integrity code 404. The central computer system 100 receives the sensitive-data message 410, decrypts it, checks the media integrity code 404, and identifies the separate individual items of information, in like manner as for the sign-on message 400. However, in a preferred embodiment the sequence number 403 is not updated for the order-approval message 410, only for the sign-on message 400. The central computer system 100 then transmits selected information to the local computer system 110.

Alternative Embodiments 

Although preferred embodiments are disclosed herein, 
many variations are possible which remain within the 
concept, scope, and spirit of the invention, and these varia- 
tions would become clear to those skilled in the art after 
perusal of this application. 

I claim:

1. A method for both authorizing access from a user device to an electronic account record stored at a computer authentication device, and for detecting attempted unauthorized access to said electronic account record, said method comprising the steps of:
recording at said computer authentication device a plurality of access sequence numbers and an account profile consisting essentially of an account identification number and a user device identification number and associating said recorded account profile with said electronic account record at said computer authentication device;
independently recording at said user device the same plurality of access sequence numbers and said account profile;
selecting at said authentication device from among said plurality of access sequence numbers a first access sequence number and associating said first access sequence number with said electronic account record;
independently selecting at said user device the same first access sequence number and associating said first access sequence number with said account profile at said user device;
transmitting a request for electronic access to said electronic account record from said user device to said computer authentication device, wherein said request comprises said first access sequence number and said account profile;
receiving said request at said computer authentication device and comparing said first access sequence number and said account profile received from said user device with said first access sequence number and account profile associated with said electronic account record;
determining at said computer authorization device that said received first access sequence number and said associated first access sequence number are equal or unequal;
authorizing access to said electronic account record when said determination is equal;
whether or not said first access sequence numbers are equal or unequal, independently selecting from said plurality a second access sequence number at said user device and replacing said first access sequence number with said second access sequence number;
only if said first access sequence numbers are equal, independently selecting from said plurality a second access sequence number at said computer authentication device and replacing said first associated access sequence number with said second access sequence number,
wherein said method for detecting attempted unauthorized access comprises the step of determining that said first access sequence number or said account profile received from said user device and said first sequence number or account profile associated with said electronic account record are unequal and reporting the unequal finding to an account holder, a user, the computer authorization device or the user device.

2. The method of claim 1, further comprising the step of denying the user device electronic access at said authorization device when said step of determining that said first access sequence number or said account profile received from said user device and said first sequence number associated or account profile associated with said electronic account record are unequal and terminating the transmission from said user device.

3. The method of claim 1, wherein said step of reporting said unequal finding comprises sending a message to a pre-selected destination.

4. The method of claim 1, further comprising the steps of:
recording at said computer authentication device a user device identification number and associating said user device identification number with said electronic account record;
independently recording at said user device the same user device identification number,
wherein said step of transmitting a request for electronic access from said user device further comprises transmitting said user device identification number, and,
wherein said step of authorizing electronic access to said electronic account record further comprises determining at said computer authorization device that said received user identification number and said recorded user identification number associated with the electronic account record are the same.

5. The method of claim 1, further comprising the steps of:
recording at said computer authentication device a user voice print and associating said user voice print with said electronic account record;
wherein said step of transmitting a request for electronic access from said user device further comprises transmitting a user voice message; and,
wherein said step of authorizing electronic access to said electronic account record further comprises determining at said computer authorization device that said received user voice message and said recorded user voice print are substantially the same.

5,696,824

6. The method of claim 5, wherein said step of authorizing electronic access to said electronic account record further comprises determining at said computer authorization device that said received user voice and said recorded user voice are substantially the same comprises a determination made by a human operator.

7. The method of claim 1, further comprising the steps of:
recording at said computer authentication device a user PIN and associating said user PIN with said electronic account record;
wherein said step of transmitting a request for electronic access from said user device further comprises transmitting the user PIN; and,
wherein said step of authorizing electronic access to said electronic account record further comprises determining at said computer authorization device that said received user PIN and said recorded user PIN are the same.

8. The method of claim 1, wherein said method for detecting unauthorized access further comprises the steps of:
recording at said authentication device and at said user device that said first access sequence number received from said user device and said first sequence number associated with said electronic account record were not the same.

9. The method of claim 1, wherein said plurality of access sequence numbers and said selected first access sequence number and said selected second access sequence number are stored in a protected memory at said user device.

10. The method of claim 1, wherein said account profile and said sign on message further comprises data selected from among a user identification number, a voice print, a user telephone number, a PIN or an encryption profile comprising an encryption protocol, a selected protocol option and an encryption key.

11. The method of claim 1, wherein after said independently selecting step at said user device and prior to said step of transmitting, said user device further performs the additional steps of:
encrypting said sequence number at said user device into an encrypted message;
transmitting said encrypted message to said authentication device; and the additional step at said computer authentication device performed after said receiving step of:
decrypting said encrypted message.

12. The method of claim 1, wherein after said determining step prior to said replacing of said first access sequence number the computer authentication device performs the additional step of computing a pseudorandom number to be used as said second sequence number in said replacing step.

13. The method of claim 1, wherein after said receiving step and before said determining step said method further comprises the steps of:
initiating a handshake process between said computer authentication device and said user device;
storing a second sequence number in a sequence flag location in said computer authentication device;
independently replacing said first sequence number with said second sequence number at said user device;
attempting to perform a step of completing said handshake process between said computer authentication device and said user device; and
retrieving said second sequence number from said sequence flag location if said attempt to perform said step of completing fails.

14. A method for detecting unauthorized access to an account at an authentication device, said method comprising the steps of:
recording a first sequence number and associating said sequence number with said account at the authentication device;
recording a second sequence number at a location in a user device;
transmitting a request from a user device to the authentication device, wherein said request comprises said second sequence number;
controlling access to said account in response to the request for access by determining whether said first sequence number and said second sequence number are the same or different and allowing access only if the first sequence number and the second sequence number are the same;
replacing said first sequence number with a third sequence number and associating said third sequence number with said account;
transmitting said third sequence number to said location in said user device; and
replacing said second sequence number in said location in said user device with said third sequence number.